Sign in

Sign in to confirm

App Permissions Explained – What Do They Really Mean?

Steven Blum2012-10-16T17:07:50ZOct 16, 2012

Steven Blum
Steven Blum has written more than 2,000 blog posts as a founding member of AndroidPIT's English editorial team. A graduate of the University of Washington, Steven Blum also studied Journalism at George Washington University in Washington D.C. for two years. Since then, his writing has appeared in The Stranger, The Seattle P-I, Blackbook Magazine and Venture Villlage. He loves the HTC One and hopes the company behind it still exists in a few years.

Every time you want to install an app from the Google Play store, you're made to sign-off on a number of different app permissions. Unfortunately, it's not always easy to understand what you're permitting an app to do. Because of the confusion over intrusive permissions, many people have simply uninstalled suspicious-sounding apps. When should you uninstall an app because of its creepy permissions and when are said permissions warranted? Below you can find an overview of some of the most common permissions and what they mean for you and your phone.

Directly call phone numbers

What it sounds like. This app permission allows apps to dial phone numbers without notifying you first. Apps like Skype or Google Talk require this permission for obvious purposes. Malicious apps can exploit this authorization to secretly call paid numbers without your knowledge. If the app is asking for this permission and has nothing to do with making phone calls, stay far, far away.

Send SMS messages

Beware of any non-SMS app asking for this permission. Malicious apps can send messages without your permission, incurring large bills.

Modify or delete USB storage

If an app asks for this permission, it can acess your entire memory, and read, edit and delete your data. You should be very wary of apps asking for this permission. In combination with access to the Internet, an app could upload private photos to a website. A special note: all apps are granted this permission in any Android operating system below Android 1.5. You've got to be extra careful if you're working with an older version of Android.

Read and change my contacts

Pretty self-explanatory. This app may not actually change your contacts, just access them. SMS, social networking and address book apps tend to use this permission, but for other apps it is usually unncessary. As your contacts data is very sensitive, extreme caution is advised here.

Bookmark web pages and read web history

Alternative browsers, back-up tools and possibly some social networking apps need these permissions. But if a game is asking for them, it should set off alarm bells since the app may want to spy on your browsing behavior.

Read sensitive log data

This permission is very important! It allows apps to read log data from other apps. Sometimes this log data is very sensitive and apps shouldn't need that permission. There are some exceptions, like the Twitter app Plume which needs the permission to submit detailed bug reports to developers. But watch out for other apps.

Read phone state and identity

This permission is a double-edged sword. On the one hand, it's normal for any app to read your phone state so that the app can be interrupted when, for example, you need to take a call. But on the other hand, the app gains access to two device numbers: your IMEI and IMSI. Many app developers use these numbers to protect their apps from piracy, but theoretically they could also use these numbers to locate you.

Fine GPS Location

This permission tells the app where you are, located by GPS satellites. It is needed by navigation or location-based apps, but could also be abused for advertising purposes.

Coarse Network-based Location

Almost identical functionality as the above, but less accurate than the GPS at finding your location.

Create Bluetooth connections

Apps for wireless transmission require this right, so that your files can be communicated via Bluetooth. usually, this notification is relatively harmless.

Full Internet access

With this privilege, you have to be extra careful! As the name suggests, the app receives full access to the Internet. Data can be uploaded without your knowledge. many apps need this permission to work at all, but just as many apps do not. In combination with other permissions, this app can quickly cause widespread damage. You should therefore consider carefully before installing whether or not an app really needs this permission.

View Network status / WiFi state

This tells an app when you are in the vicinity of WiFi. Pretty harmless.

Manage Accounts

Allows an app to find out what accounts you have and connect with them. The best example of this app permission is the Facebook app, which allows you to sign into your Facebook account through the app. But watch out for apps like games or recipe apps that want to manage your accounts, because there is a theoretical possibility that a malicious app could delete your Google account from your device.

Use credentials

This app permission allows any application the authorization to use your account. They do this typically be giving what's called an AuthToken depending on what account you're using (Google / Faebook /Yahoo, etc.). Typically, your account password is protected from the app. But you should still use great caution before installing an app that asks for this permission.

Install Packages (Apps)

This app permission is important for alternative app stores (like AndroidPIT).

Prevent phone from sleeping

Video players and other apps need this permission to prevent your screen from turning off while you're watching a video or playing a game.

Read sync settings

This allows an application to know if you have background data sync (for Gmail, for example) turned on or off.

Kill background processes

Allows an app to stop other apps. This can lead to data loss. Task Managers typically are granted this permission.

Control vibrator

Don't laugh! This permission is pretty harmless. It simply allows an app to control the vibrating function on your phone.

Take photos or video

Alternative camera apps require this right in order to take photographs. Theoretically, a malicious app can secretly take pictures and distribute them on the Internet but, in practice, it's quite hard for an app to operate your camera.

Conclusion:

Of course you should always read app permissions carefully and consider whether the app you're downloading really needs permissiont to do xxx. When in doubt, read the reviews: if others have found the app to be a malware-infested piece of crap, you'll be able to find that out pretty quickly. While there are malicious apps out there, you can avoid them by using common sense. There are enough great apps in Google Play that you shouldn't have to install one that makes you worry.

Comments

1) "Read sensitive log data": Latest with Android 4.2, apps no longer get access to other apps' log entries. This permission was moved to protection-level "SignatureOrSystem", so only system apps (or apps signed with the same key as the ROM itself) can use it.2) "Read phone state and identity": Confusion here is that this is the "officially recommended way" to detect incoming calls. And if a (new) dev reads this recommendation, he tends to believe it and stops looking further. However, there are other means to achieve the same: the phone state (off hook, ringing, etc) can be obtained without that permission. And to avoid permanently polling for this info, the app could register for the onAudioFocusChanged() broadcast: an incoming call triggers the ringer, so the focus shifts.3) "Full Internet access": while I mostly share your opinion, it's hard to avoid this permission. About 75% of all apps request it (leaves not much to install then ;) Ah, and it's mostly for the ads; so sometimes one can get around it by... well, buying the full version.4) "Manage Accounts": Here you write "there is a theoretical possibility that a malicious app could delete your Google account from your device". Not true. An app with this permission can *create* any account, but it can only modify/delete accounts it has created itself. For details, please see here: http://android.stackexchange.com/a/44295/165755) "Install Packages": Leaves me confused. You write "This app permission is important for alternative app stores (like AndroidPIT)." According to my references, this permission has protection-level "System". So it would only get effective as system app. Though, I've seen several apps on play requesting it. Might be an error in the documentation (wouldn't be the only one).6) "Take photos or video": you think "in practice, it's quite hard for an app to operate your camera". I wonder what all those camera apps do then :) But yes, hard to control what's in front of the lense :)

Said it before: apps wanting better debug infos can use java.util.logging instead of android.log. there is no need to request the logging privilege unless your app is called "logcat viewer" none at all.